Education sector hardest hit by ransomware in 2020

The education sector has long been an attractive target for cybercriminals simply because it lacks a resilient IT infrastructure.
27 July 2021

The education sector was hit the most by ransomware in 2020 (Photo by Hector RETAMAL / AFP)

Despite the pandemic affecting most industries around the world in 2020, the education sector was able to continue operations by switching to online learning methods and remote learning. Be it schools, colleges, or universities, the ‘new normal’ learning curve meant adapting to newer technologies to be able to communicate with students, and ensure the learning process continues.

Apart from remote learning, the education sector happens to deal with high amounts of student data. When it comes to a fresh intake of students, or even current or past graduates, learning institutes make use of this data to make important decisions such as course preferences, learning outcomes, and career trajectories. And unsurprisingly enough, cybercriminals are all too aware of the value this data.

According to the Sophos State of Ransomware in Education 2021 report, the education sector was the hardest hit industry by ransomware in 2020. Ransomware has already been making headlines in other industries such as the recent Kaseya attack and the Colonial Pipeline ransomware incident.

Interestingly, REvil, the ransomware that attacked Kaseya, also affected schools in New Zealand. Reports in New Zealand showed that up to 11 schools were affected by the attack, disrupting their learning systems. The FBI and UK’s National Cyber Security center have also warned of spikes in ransomware attacks targeting schools.

In 2020, the financial impact of ransomware on education including downtime, lost opportunity, and ransom paid amounted to US$2.73 million on average. The amount is the highest compared to all sectors affected by ransomware, and are 48% higher than the global average.

Other notable findings from the report mentioned that: 

  • Over half (58%) of the education organizations hit by ransomware said the attackers had succeeded in encrypting their data
  • More than a third (35%) of those with encrypted data gave in to the attackers’ demands and paid the ransom. The energy, oil/gas and utilities, and local government sectors were more likely to pay
  • The average ransom payment was US$112,435 (lower than the global average of US$170,404). However, those who paid recovered on average only around two-thirds (68%) of their data, leaving almost a third inaccessible — and just 11% got all their encrypted data back
  • Of those institutions that were not hit with ransomware last year, the majority (61%) expect to be targeted in the future. The main reasons given for this are that cyberattacks are now so sophisticated and prevalent that they are virtually impossible to stop

According to Chester Wisniewski, a principal research scientist at Sophos, when education establishments had to switch to virtual learning environments on short notice, most of them had very little time to think about cybersecurity or even provide basic cybersecurity training for all the new remote users. This significantly increased the sector’s vulnerability and adversaries were quick to seize the opportunity, leaving victims with the huge financial impact of having to rebuild IT infrastructure from scratch.

The education sector has long been an attractive target for cybercriminals simply because it lacks a resilient IT infrastructure. For years, education institutions have not allocated higher budgets on improving their cybersecurity or even taking it seriously enough. Case in point, it is commonplace for university students using campus devices to often end up having malware infecting their assignments.

While remote learning is the expected norm right now, malware and ransomware can still affect emails, devices and hardware not just of students but of educationists as well. Risky online student behavior, such as downloading pirated software, also increases exposure to attack. The rapid switch to remote also limited opportunities for cybersecurity training for both teachers and students, while overloaded IT staff had limited availability to provide technical and security support.

2020 may have seen the education sector hit the hardest by ransomware. The education sector today, especially higher learning institutes need to ensure they have sufficient backup and recovery in place. This is to ensure that if they do fall victim to cybercriminals, they are able to recover quickly and not end up paying a high ransom. One of the biggest problems most organizations have is the lack of a sufficient backup and recovery capabilities from ransomware attacks.

Hopefully education institutes respond to this like a business would, treating any lost student data as a loss and breach of trust with their ‘customers’ the students in this case. Particularly centers of learning with high data volumes, and in industries vulnerable to cyber attacks, look to continuously improve their cybersecurity posture to be better equipped for future intrusions.